Cyber Security: A Real Phishing Email Decrypted

This morning I received a phishing email in my Gmail inbox. Phishing is used by criminals to steal personal information such as login credentials and bank or credit card details. This phishing email, pretending to come from a French bank, was cleverly executed, yet also easy to detect as a scam. Here is why:

LOOKS REAL: The phishing email was sent to my Gmail address and used my name (correctly spelled), two pieces of information that the phishers presumably obtained from a leaked or purchased address list. A correct name is no proof of legitimacy: personalised phishing is cheap once such a list is in hand.

SCAM: I have never been a customer of this bank ‘Banque Accord’. Moreover, the sender’s email address, ‘nouvldemostration@sfr.fr’, is nonsensical, does not contain the bank name, and uses the domain ‘sfr.fr’, a consumer mailbox domain of a French ISP, typically used for individual email addresses. No legitimate bank would send customer notices from an ‘sfr.fr’ address. At this point, it is obvious this is a scam. Note that the test only works in one direction: the visible From address is trivially forged, so a sender address that did match the bank’s domain would prove nothing unless the receiving mail system had also verified it (SPF, DKIM and DMARC results appear in the message headers, not in the inbox view).

LOOKS REAL: At first glance, the email looks official. This is a real bank. The text is written in formal French asking you to update credit card information. There is even company legal info at the bottom.

SUSPICION: There is a typo in the text (the negation particle ‘ne’ is missing). Banks have their customer communications proofread; phishing operators, even native speakers, are notorious for grammar and spelling errors, so mistakes in a message that asks for credentials are a strong warning sign. The email asks me to click on a link.

For the sake of investigation, I click on the link and am redirected to a website that looks at first glance like a real website. Below are screenshots of the fake website and the real bank website. (Do not repeat this from an everyday machine or account: clicking confirms to the attacker that the address is live, and the landing page may try to exploit the browser. If a link must be inspected, do it from an isolated machine, or fetch the page with a tool that does not execute scripts.)

LOOKS REAL: This is really nasty. The phishers have put serious efforts to duplicate the appearance of the real bank website (colors, logo, menu, layout of customer login page).

SCAM: Looking at the address bar of the fake website, one can see that the website address ‘espace.banqueaccorrd.eu’ contains a typo (an extra ‘r’ in ‘accord’). No legitimate bank would register a domain with a typo in its own name. In addition, it uses the European domain ‘eu’ and not the French domain ‘fr’, which is not typical for a French bank; presumably the phishers could not obtain the bank’s real name under ‘fr’ and settled for the nearest lookalike they could register. Moreover, the address starts with ‘http’ rather than ‘https’: the connection is not encrypted, and any card details typed into the form travel in clear text. Banks always serve their login pages over HTTPS. The reverse does not hold, however: an ‘https’ address and a padlock only mean the connection to that site is encrypted, not that the site belongs to the bank. Phishers routinely obtain certificates for their lookalike domains, so the domain name itself, not the padlock, is what has to be checked.
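The two checks above (the sender's domain, and the domain and scheme of the link) are mechanical enough to script. The following is an added example written for this post, not code from the original article or from the bank: it scores a From header and a URL against an expected brand label. The expected label ‘banqueaccord’, the expected ‘fr’ TLD and the list of consumer mailbox domains are assumptions made for the example; the naive "last two labels" domain split is also an assumption and real code would use the public suffix list instead. The sample inputs are the sender address and URL quoted in the post.

```python
from __future__ import annotations

from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example (not taken from the post or the bank):
# the bank's registrable label is its name without spaces, its site is
# expected under .fr, and these are consumer mailbox domains.
EXPECTED_LABEL = "banqueaccord"
EXPECTED_TLDS = {"fr"}
CONSUMER_MAIL_DOMAINS = {"sfr.fr", "orange.fr", "free.fr", "wanadoo.fr", "gmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str) -> tuple[str, str]:
    """Return (registrable label, tld) with a naive two-label rule.
    Assumption: no public suffix list, so 'co.uk'-style suffixes are wrong."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def check_url(url: str) -> list[str]:
    """Findings for a link the email asks the reader to click."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("not https: anything typed into the form travels in clear text")
    label, tld = split_host(host)
    if label != EXPECTED_LABEL:
        dist = edit_distance(label, EXPECTED_LABEL)
        if dist <= 2:
            findings.append(f"lookalike domain label {label!r} "
                            f"(edit distance {dist} from {EXPECTED_LABEL!r})")
        else:
            findings.append(f"domain {host!r} is unrelated to {EXPECTED_LABEL!r}")
    if tld not in EXPECTED_TLDS:
        findings.append(f"unexpected TLD .{tld} (expected {sorted(EXPECTED_TLDS)})")
    return findings


def check_sender(from_header: str) -> list[str]:
    """Findings for a From header such as 'Banque Accord <x@example.org>'.
    Note: an empty result is not proof of legitimacy, since From is forgeable;
    only SPF/DKIM/DMARC results in the received headers can vouch for it."""
    findings = []
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in CONSUMER_MAIL_DOMAINS:
        findings.append(f"sender domain {domain!r} is a consumer mailbox provider")
    label, _ = split_host(domain)
    if label != EXPECTED_LABEL:
        findings.append(f"sender domain {domain!r} does not belong to {EXPECTED_LABEL!r}")
        if EXPECTED_LABEL in display.lower().replace(" ", ""):
            findings.append("display name impersonates the bank while the address does not")
    return findings


if __name__ == "__main__":
    # The sender address and URL quoted in the post.
    for f in check_sender("nouvldemostration@sfr.fr"):
        print("sender:", f)
    for f in check_url("http://espace.banqueaccorrd.eu/"):
        print("url:   ", f)
```

Run against the post's own indicators, the sender check flags the consumer domain and the mismatch with the bank, and the URL check flags the clear-text scheme, the one-character lookalike ‘banqueaccorrd’ and the ‘eu’ TLD. A URL such as ‘https://www.banqueaccord.fr/’ (under the example's assumptions) produces no findings, which is exactly as far as such a check can go: it catches the crude cases, and a clean result still has to be confirmed through the bank's published address rather than the link in the mail.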

This particular bank seems to have been already a target of scams, as shown by the red link in the upper right corner of the real website highlighting email scams.

Had I been a real customer of the bank (and unaware of common cyber scam techniques), this phishing email would have been hard to detect. Phishing emails are increasingly common and sophisticated. Cyber security is relevant to everyone at home and at work.